On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 2) In delegation.ldif: ipapermission object class is missing for
> > removeentitlements and modifyentitlements (it has been added for
> > addentitlements though)
>
> This was on purpose, I should have been clearer. Patch 664 makes major
> changes to these and I'm trying to make the merge easier. I'll fix them
> up when 664 gets pushed.

I thought so. I was confused by the addentitlements permission, whose objectclass was updated. We just have to make sure that the entitlements patch includes this new objectClass.

> >
> > QUESTION:
> > In this patch you add READONLY flag to Replica permissions. However it
> > is not actually used and stays as just an informative flag. It won't
> > prevent user from modifying/removing READONLY permissions.
> >
> > I guess enhancing permission-mod and permission-del of READONLY check
> > will be a subject of another ticket?
>
> Ok, interesting point. I considered the aci itself to be read-only. The
> only thing a user could do is rename the permission, right? I think that
> would maintain consistency so it shouldn't be a problem. It would
> probably be easy to really make these read-only but that would have a UI
> impact as well, perhaps a problematic one. I suppose if they could
> handle any read-only exceptions we'd raise that would be adequate.
>
> rob

Yes, the user could rename or delete the permission. In both cases it won't have any effect on the ACI, as the ACI plugin does not see it. But I think it would be nice to prevent modifications to these permissions when we have this new and shiny READONLY flag. A read-only exception may be a way to achieve this...

Martin